Week 10

1
Week 10

• Short Lecture
• Lab

2
POP Quiz

• What is the security spec for 802.11?
• Define TKIP?
• How can you locate a rogue AP?
• Which tool is used to attack ipsec deployments?
• What is VOID11 used for?
• What encryption standard is WEP based on?

3
Wireless Is Addicting
Once You Use It
You Cant Live without It
4
So what is the business impact of security?

• According to the Computer Crime and Security
  Survey 2002, by the Computer Security Institute
  (CSI) and the FBI
• 44 of respondents (223 total) were able to
  quantify financial losses of 455M, or 2.05M per
  survey respondent
• 90 detected computer security breaches within
  the last 12 months. 80 acknowledged financial
  loss due to breach.
• 85 detected computer viruses
• 40 experienced Denial-of-Service attacks

Source FBI and Computer Security Institute
(CSI) Computer Crime and Security Survey
2002 Link http//www.gocsi.com
5
Technology, Process, People
Baseline Technology Standards, Encryption,
Protection Product security features Security
tools and products
Planning for Security Prevention Detection
Reaction
Dedicated Staff Training Security - a mindset and
a priority
6
Intro to Wireless Networks Tools and Technologies

• Internet Authentication Server (IAS)
• Acts as a RADIUS proxy
• Handle authentication requests
• Remote Authentication Dial-in User Server
  (RADIUS)
• Extensible Authentication Protocol (EAP)

7
Setting up a Wireless Network Authentication
Services

• Open System
• Does not provide authentication
• Identification using the wireless adapter's MAC
  address
• Shared Key
• Verifies that an authenticating wireless client
  has knowledge of a shared secret key
• Similar to preshared key authentication in
  Internet Protocol security (IPsec)

8
Setting up a Wireless Network Authentication

• EAP-TLS
• Does not require any dependencies on the user
  account password
• Authentication occurs automatically, with no
  intervention by the user
• Uses certificates, providing a strong
  authentication scheme

9
Setting up a Wireless NetworkActive Directory

• IAS as a RADIUS proxy security considerations
• Shared secrets
• Firewall configuration
• Message Authenticator attribute
• Using IPSec filters to lock down IAS proxy
  servers
• Password Authentication Protocol (PAP)

10
Setting up a Wireless Network Security Issues
With 802.11

• No per-packet authentication
• Vulnerability to disassociation attacks
• No user identification and authentication
• No central authentication, authorization, and
  accounting support
• RC4 stream cipher is vulnerable to known plain
  text attacks
• Some implementations derive WEP keys from
  passwords
• No support for extended authentication

11
Security in a Wireless World Basic Steps to
Authentication
CHALLENGE
ID
12
Security in a Wireless World Basic Steps to
Authentication
RADIUS
REQUEST
SUCCESS
ID
KEY
13
Dynamic WEP Key Management
Fast Ethernet
RADIUS
Laptop computer
Access Blocked
802.11 Associate
802.11
RADIUS
EAPOW
EAPOL-Start
EAP-Request/Identity
Radius-Access-Request
EAP-Response/Identity
Radius-Access-Challenge
EAP-Request
EAP-Response (Credential)
Radius-Access-Request
Radius-Access-Accept
EAP-Success
EAPW-Key (WEP)
Access Allowed
14
Security in a Wireless World RADIUS Best
Practices

• Deployment
• Implement EAP and EAP types that use strong
  authentication methods
• Implement authentication methods that use mutual
  authentication
• If you implement PAP authentication, disable its
  use by default
• If you implement CHAP authentication, use a
  strong CHAP challenge

15
Security in a Wireless World RADIUS Best
Practices

• Implementation
• Strong shared secrets
• Use a different shared secret
• Require Message-Authenticator attribute
• Disable the use of LAN Manager encoding
• A strong EAP and an EAP type

16
Pros Cons of Wireless Security
17
Pros Cons of Wireless Security
18
Six-Steps for Wireless Security

• Enable 128-bit session encryption
• Configure RADIUS server authentication
• Force 30-minute periodic authentication for all
  users
• Source Computerworld

• Require use of VPN to access critical resources
• Restrict LAN access rights by role
• Implement two-factor authentication scheme using
  access tokens

19
Challenge Message

• Radius server sends challenge to client via
  access point
• This challenge packet will vary for each
  authentication attempt
• The challenge is pulled from information
  contained a table of known secrets
• New challenge can be sent at intervals based on
  Radius server settings, or upon client roaming

20
Calculated HASH

• Client responds with a calculated value using a
  one way hash function
• This value is derived from a known secrets list

Start
21
Authentication Granted/Denied

• Radius server checks response against it own
  calculated hash
• If it matches, then authentication is
  acknowledged to AP and client
• If authentication is not achieved, the AP will
  not permit any traffic for that client to pass

22
Six-Steps for Wireless Security

• Enable 128-bit session encryption
• Configure RADIUS server authentication
• Force 30-minute periodic authentication for all
  users
• Source Computerworld

• Require use of VPN to access critical resources
• Restrict LAN access rights by role
• Implement two-factor authentication scheme using
  access tokens

23
Why LEAP ?

• Cisco Lightweight EAP (LEAP) Authentication type
• No native EAP support currently available on
  legacy operating systems
• EAP-MD5 does not do mutual authentication
• EAP-TLS (certificates/PKI) too intense for
  security baseline feature-set
• Quick support on multitude of host systems
• Lightweight implementation reduces support
  requirements on host systems
• Need support in backend for delivery of session
  key to access points to speak WEP with client

24
ATT Labs Technical Report TD-4ZCPZZ.

• Using the Fluhrer, Mantin, and Shamir paper a
  practical test was conducted by ATT Labs. In
  this document the statement is made
• There do exist proprietary solutions that allow
  each mobile node to use a distinct WEP key, most
  notably Ciscos LEAP protocol. LEAP sets up a
  per-user, per-session WEP key when a user first
  authenticates to the network. This complicates
  the attack, but does not prevent it so long as a
  users session lasts sufficiently long.

25
Cisco LEAP Deployment
Wireless
LEAPRadius Server
EAP Access Point
Laptop Computer with LEAP Supplicant
Backbone
Ethernet

• Network Logon
• Win 95/98
• Win NT
• Win 2K
• Win CE
• MacOS
• Linux

• Radius
• Cisco Secure ACS 2.6
• Authentication database
• Can use Windows user database

• Driver for OS x
• LEAP Authentication support
• Dynamic WEP key support
• Capable of speaking EAP

• Radius DLL
• LEAP Authentication support
• MS-MPPE-Send-key support
• EAP extensions for Radius

• EAP Authenticator
• EAP-LEAP today
• EAP-TLS today

Client/Supplicant
Backend/Radius server
Authenticator
26
Security Evolution

• Static keying
• WEP (Wired Equivalent Privacy)
• TKIP (Temporal Key Integrity Protocol)
• AES (Advanced Encryption Standard)
• IEEE 802.1x dynamic keying (EAP-TLS, EAP-TTLS,
  PEAP)
• IEEE 802.1x dynamic WEP keying
• IEEE 802.1x dynamic TKIP keying
• IEEE 802.1x dynamic AES keying
• VPN (Virtual Private Network) over WLAN

27
TKIP

• Unique dynamic TKIP key by mixing WEP keys with
  MAC address.
• MIC (Message Integrity Code) prevents hackers
  from forging packets in the air.

28
IEEE 802.11i

• IEEE802.1x (EAP-TLS, EAP-TTLS, PEAP)
• TKIP
• AES-CCMP
• Needs new hardware.
• Secure IBSS (Ad-hoc)
• Secure handoff

29
IEEE 802.1x in Action (EAP-MD5)
Notebook
Access Point
RADIUS Server
30
Community Hacking Efforts

• Warchalking Leaving cryptic symbols to inform
  others about free WLAN connections
• More hype than hot

31
Built-in WLAN Security

• Wired Equivalent Privacy (WEP)
• Provides encryption based on RC-4 cipher
• Wireless Protected Access (WAP)
• Uses dynamic keys and advanced encryption
• 802.1x
• Provides authentication using Extensible
  Authentication Protocol (EAP)
• 802.11i
• Advanced encryption and authentication

32
802.11i and WPA

• Uses 802.1x authentication
• Uses Temporal Key Integrity Protocol (TKIP) to
  dynamically change encryption keys after 10,000
  packets are transferred
• Uses Advanced Encryption Standard (AES)
  encryption, which is much better than WEP
• A subset of 802.11i, Wi-Fi Protected Access (WAP)
  is available as a firmware upgrade today

33
802.11i and WPA Pitfalls

• Keys can be cracked using much less than 10,000
  packets
• Michael feature shuts down AP if it receives
  two login attempts within one second. Hackers can
  use this to perpetrate a DoS attack.
• 802.11i is yet to be released (Sometime in 2003?)

34
Quiz
35
Homework

• Describe Radius authentication in your own words.